Dato CMS Web Previews plugin allows malicious users to load unauthorized content

CVE-2026-3327
Summary

A security issue in the Dato CMS Web Previews plugin allows an authenticated user to bypass restrictions and load any website into the preview, potentially leading to data leaks or other security risks. This affects versions of the plugin before 1.0.31. To stay secure, update the plugin to the latest version.

Original title
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enab...
Original description
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.
NVD CVSS 4.0 score: 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026